Efficient Equality Test on Identity-Based Ciphertexts Supporting Flexible Authorization

In the cloud, uploading encrypted data is the most effective way to ensure that the data are not leaked. However, data access control is still an open problem in cloud storage systems. To provide an authorization mechanism to limit the comparison of a user’s ciphertexts with those of another, public key encryption supporting the equality test with four flexible authorizations (PKEET-FA) is presented. Subsequently, more functional identity-based encryption supporting the equality test (IBEET-FA) further combines identity-based encryption with flexible authorization. The bilinear pairing has always been intended to be replaced due to the high computational cost. Hence, in this paper, we use general trapdoor discrete log groups to construct a new and secure IBEET-FA scheme, which is more efficient. The computational cost for the encryption algorithm in our scheme was reduced to 43% of that of the scheme of Li et al. In Type 2 and 3 authorization algorithms, the computational cost of both was reduced to 40% of that of the scheme of Li et al. Furthermore, we give proof that our scheme is secure against one-wayness under the chosen identity and chosen ciphertext attacks (OW-ID-CCA), and indistinguishable against chosen identity and chosen ciphertext attacks (IND-ID-CCA).


Introduction
With the application of the Internet increasingly spreading, people have more extensive storage and computing requirements for cloud servers. Users make full use of cloud servers, allowing cloud servers to help them in storing and processing data, reducing the user's storage burden and computing overhead. Users in different regions can upload data onto and download data from a server, which provides convenience for users to share data. However, servers are also vulnerable to some attacks. If users store their data unencrypted in the cloud server, attackers or malicious internal administrators may access the data stored by users. The solution is for every user to upload encrypted data onto the cloud server. Previous classical encryption schemes cannot realize direct searches or calculations in the ciphertext. In a searchable encryption scheme [1], the ciphertext and trapdoor for retrieval need to be obtained with the same public and private key pair.
A novel PKEET scheme [2] was first proposed by Yang et al. in 2010. In this scheme, users can test whether ciphertexts encrypted by different public keys contain the same plaintext without decrypting the ciphertext, which avoids the previous limitations of searchable encryption. However, in the scheme, anyone can test the encrypted data, which can lead to data leakage. To better suit practical applications, Tang proposed a fine-grained equality test scheme [3] that can achieve fine-grained authorization by sending tokens to a proxy. The equality test of flexible authorization for more scenarios was proposed in [4], in which there were different authorizations to meet the different needs of users, and different authorization types corresponded to different test permissions. It can not only perform the equivalence testing of ciphertext that was encrypted without the same public key, but also designate testers, which better protects the privacy of the

A new concept of public key encryption with keyword search (PEKS) was proposed by Boneh et al. [1] in 2004 that allows for direct keyword searches in ciphertext without decrypting the ciphertext. A user can generate the corresponding trapdoor of some keyword by using its private key and perform a keyword search in the ciphertexts with the trapdoor. Subsequently, many related variants were proposed [8][9][10]. Bellare et al. [11] proposed a deterministic PKE scheme. Yang et al. [2] devised a ciphertext-based equality test scheme using bilinear groups for searchable and classified encrypted data. However, in that scheme, anyone could perform the test, so it can easily cause data leakage, which is not conducive to data privacy. Tang [3] presented a new method where two users could authorize a proxy to execute equality calculation on their encrypted message by issuing tokens.
Tang [12] gave a new PKE in a two-proxy model supporting fine-grained authorization (FG-PKEET) in which the two proxies were required to cooperate to complete the equality test. Subsequently, Tang [13] proposed the construction of an all-or-nothing PKEET (AoN-PKEET).
A new scheme of PKE with a delegated equality test (PKE-DET) was proposed by Ma et al. in [14]; in a multiuser model, only the delegated party can perform the equality test. Wu et al. [15] introduced a new equality test concept that could achieve security against insider attacks. Ma [16] proposed a variant of PKEET in which a cloud server could directly execute the equality test on the ciphertexts of the specified user, realizing the security of the cloud database application. In [17], PKE-AET offered a new idea regarding two different kinds of warrants, namely, receiver warrants and cipher warrants. After a tester receives a receiver warrant from some receiver, the tester can perform the equality test on any of the receiver's ciphertext; in the second case, after a tester receives a cipher warrant associated with some ciphertext from some receiver, the tester can just execute an equality test on that ciphertext. Huang et al. [18] presented a ciphertext-binded authority (CBA) PKEET scheme. CBAs are only valid for specific ciphertexts, and they are invalid for other ciphertexts encrypted by the same public key. The concept of the filtered equality test (FET) was proposed by Huang et al. [19] where the receiver selects a set of messages and generates the corresponding warrant. After a user receives the warrant, if the plaintext corresponding to the ciphertext is in the message set, they can perform an equality test on the recipient's ciphertext. Huang et al. [20] proposed a PKE-FET scheme in which FET was also applied to construct searchable encryption. The key policy-attribute-based encryption with an equality test scheme was proposed by Zhu et al. in [21]. After the flexible scheme, a ciphertext policy-attribute-based encryption scheme was presented by Wang et al. [22] that also supported the function of the equality test.
A new authorization mechanism for efficient PKEET-FA was proposed by Ma et al. [4], which can more effectively achieve user privacy protection. The scheme was based on bilinear pairing. Lin et al. [23] made improvements on this basis and proposed a novel PKEET-FA scheme in which bilinear pairings were not used. That protocol used a quadratic curve to do the equality test, whereas Zhu et al. [24] used a simpler straight line for the equality test. A new concept of IBEET, combining the two existing concepts PKEET and IBE, was given by Ma et al. [25]. A new IBEET-FA scheme was proposed in [5]. Users can directly execute equality tests on the ciphertext, eliminating the need for complex key management.
Duong et al. [26] proposed a new PKEET scheme based on ideal lattices and a scheme based on integer lattices; both schemes can achieve CCA2-security. Ref. [27] introduced the trends in multimedia forensics and many deep-learning-based techniques. In [28], Susilo et al. presented a novel concept of public key encryption with multi-ciphertext equality test (PKE-MET), which enables the cloud server to perform equality tests among multiple ciphertexts. A new primitive of identity-based encryption with equality test and datestamp-based authorization mechanism (IBEET-DBA) was proposed by Lin et al. [29], in which the data owner could control the valid period of a trapdoor by using a datestamp. Deverajan et al. [30] presented public key encryption with equality test based on the discrete logarithm problem (DLP). Considering the possible attacks on trapdoors given to cloud servers and the different computing power of the entities, Vaanchig et al. [31] introduced a notion of secure-channel-free IBEET (SCF-IBEET).

Organization
We organize the remainder of the paper as follows. The definitions of Trapdoor Discrete Log Groups and Decision Diffie-Hellman Problem are given in Section 2. Then, we give the system model, the definitions of IBEET-FA and the security model in Section 3. In Section 4, we propose a new IBEET-FA scheme without pairing. In Section 5, the security analysis of our scheme will be given. In Section 6, we will show the complexity comparison of our scheme and other related schemes. In the last section, some conclusions will be given.

Definition 1. A TDL group generator consists of algorithms TDLGen and SolveDL:
• TDLGen(k): Given security parameter $k$ as the input, the algorithm returns a tuple $(T, q, g, G)$ where $T$ denotes the trapdoor, $q$ denotes the prime order, $g$ denotes a random generator, and $G$ denotes a group.
• SolveDL(k, (T, q, g, G), h): Given the inputs of a security parameter $k$, a tuple $(T, q, g, G)$ and a group element $h$, the algorithm outputs $\alpha \in \mathbb{Z}_q$ such that $h = g^{\alpha}$ holds.

Computational Diffie-Hellman (CDH) Problem
Definition 2. Let $q$ be the prime order of group $G$, and let the generator $g$ be obtained by running algorithm TDLGen of Definition 1. Let $(g, g^a, g^b)$ be a tuple in $G$, for $a, b \in \mathbb{Z}_q$. It is intractable to compute $g^{ab}$. For a probabilistic polynomial-time adversary $A$, the advantage of $A$ in solving the CDH problem is
$$\mathrm{Adv}^{\mathrm{CDH}}_{A,G}(k) = P(A(g, g^a, g^b) = g^{ab}, G)$$

Decision Diffie-Hellman (DDH) Problem
Definition 3. Let $q$ be the prime order of group $G$, and let the generator $g$ be obtained by running algorithm TDLGen of Definition 1. Let $(g, g^a, g^b, g^c)$ and $(g, g^a, g^b, g^{ab})$ be two tuples in $G$, for $a, b, c \in \mathbb{Z}_q$. It is difficult to distinguish the two tuples. For a probabilistic polynomial-time adversary $A$, the advantage of $A$ in solving the DDH problem is
$$\mathrm{Adv}^{\mathrm{DDH}}_{A,G}(k) = |P(A(g, g^a, g^b, g^{ab}) = 1, G) - P(A(g, g^a, g^b, g^c) = 1, G)|$$

System Model and Definition
In Sections 3.1 and 3.2, we give the system model and the definition of IBEET-FA, similarly to [5]. In Section 3.3, we give the security model of IBEET-FA.

System Model
In our defined IBEET-FA scheme, we give four entities: a cloud server, a trusted third party, and two users labeled as i and j. The trusted third party generates system parameters for users and cloud service. User i and user j encrypt their data with their public key, and store ciphertext in the cloud server, and the cloud server is authorized to do equality tests on stored ciphertext, but the server does not have the ability to decrypt them. We present the IBEET-FA system model in Figure 1.

Definition of IBEET-FA
Definition 4. Our IBEET-FA scheme consists of four algorithms:
• Setup(k): Taking security parameter $k$ as the input, the algorithm outputs the public parameter $pp$ and the master secret key $msk$.
• KeyGen(i, msk, pp): Given label $i$, master secret key $msk$, and public parameter $pp$ as input, the algorithm returns the secret key $SK = (\alpha_i, \beta_i)$.
User $i$ has the public-secret key pair $(i, SK)$ and the corresponding encrypted data is $CT$; user $j$ has the public-secret key pair $(j, SK')$ and the corresponding encrypted data is $CT'$. They have four types of authorization, corresponding to four different Aut algorithms and four different Test algorithms. The Aut algorithm is used to generate trapdoors for users, and the cloud service runs the Test procedure to test whether or not two different encrypted data contain the same message.
Aut-1:
• $Aut_1(i, SK)$: Given user $i$ and $i$'s secret key $SK$ as inputs, the authorization procedure returns a trapdoor $TD_1$.
• $Test_1(CT, CT', TD_1, TD'_1)$: Given the inputs of $i$'s ciphertext $CT$, $i$'s trapdoor $TD_1$, $j$'s ciphertext $CT'$ and $j$'s trapdoor $TD'_1$, the test procedure returns 1 if the two ciphertexts contain the same message, otherwise it returns 0.
Aut-2:
• $Aut_2(SK, CT)$: Given the inputs of user $i$'s private key $SK$ and a ciphertext $CT$, the authorization procedure outputs a trapdoor $TD_2$.
• $Test_2(CT, CT', TD_2, TD'_2)$: Given the inputs of $i$'s ciphertext $CT$, $i$'s trapdoor $TD_2$, $j$'s ciphertext $CT'$ and $j$'s trapdoor $TD'_2$, the test procedure returns 1 if the two ciphertexts contain the same plaintext, otherwise it returns 0.
Aut-3:
Aut-1: For two trapdoors $Aut_1(i, SK) = TD_1$ and $Aut_1(j, SK') = TD'_1$, the following equality always holds that
Aut-2: For two trapdoors $Aut_2(SK, CT) = TD_2$ and $Aut_2(SK', CT') = TD'_2$, the following equality always holds that
Aut-3: For two trapdoors $Aut_3(SK, CT, CT') = TD_3$ and $Aut_3(SK', CT', CT) = TD'_3$, the following equality always holds that
Aut-4: For two trapdoors $Aut_4(SK, CT) = TD_4$ and $Aut_4(j, SK') = TD'_4$, the following equality always holds that
3. For any possible ciphertext $CT$ of user $i$ and any possible ciphertext $CT'$ of user $j$, if $Decrypt(i, \alpha_i, CT, mpk) = Decrypt(j, \alpha_j, CT', mpk)$, where (·) be a negligible function about $k$:
Aut-1: For two trapdoors $Aut_1(i, SK) = TD_1$ and $Aut_1(j, SK') = TD'_1$, the following equality always holds that
Aut-2: For two trapdoors $Aut_2(SK, CT) = TD_2$ and $Aut_2(SK', CT') = TD'_2$, the following equality always holds that
Aut-3: For two trapdoors $Aut_3(SK, CT, CT') = TD_3$ and $Aut_3(SK', CT', CT) = TD'_3$, the following equality always holds that
Aut-4: For two trapdoors $Aut_4(SK, CT) = TD_4$ and $Aut_4(j, SK') = TD'_4$, the following equality always holds that

Security Model
According to the nature of our scheme, we use the IBEET-FA security models defined in [5]. Since Aut-4 is a combination of one user authorization way in Aut-1 and one user authorization way in Aut-2, we omit Aut-4 authorization queries for simplicity. Adversaries are only allowed to query for Aut-γ (γ = 1, 2, 3). We define two kinds of adversaries for the security model of our IBEET-FA scheme:
• Adv-I: For Aut-γ (γ = 1, 2, 3), with Aut-γ trapdoor information, the adversary cannot get the plaintext from the challenge ciphertext.
• Adv-II: For Aut-γ (γ = 1, 2, 3), without Aut-γ trapdoor information, the adversary cannot tell which plaintext the challenge ciphertext comes from.
We now define the one-wayness security under chosen ciphertext and chosen identity attacks (OW-ID-CCA) against Adv-I for Aut-γ (γ = 1, 2, 3) as follows.
Game I: Let the receiver have index $t$ ($1 \le t \le n$), and assume $A_1$ is an Adv-I adversary. Between the challenger $C_1$ and the adversary $A_1$, the game goes as follows:
• Setup: Challenger $C_1$ first picks $k$ as a security parameter, then gets public parameter $pp$ by calling the Setup algorithm, and sends $pp$ to $A_1$.
• Phase 1: $A_1$ is allowed to issue polynomially many queries as follows.
1. Key retrieve queries: $C_1$ calls the KeyGen(i, pp, msk) algorithm and sends $SK$ to $A_1$.
2. Decryption queries: $C_1$ runs the $Decrypt(pp, CT, \alpha_i, i)$ algorithm and returns $M$ (which might be ⊥) to $A_1$.
3. Authorization queries: For three types of authorization Aut-γ (γ = 1, 2, 3), $(i, CT, j, CT')$ as input, $C_1$ sends $TD_3$ to $A_1$.
• Challenge: Adversary $A_1$ picks a target identity $t$ which has not been queried in extract queries, and sends it to $C_1$. Then $C_1$ chooses a message $M_t$ randomly, gets $C^*_t = Encrypt(M_t, t, pp)$ as the challenge ciphertext and sends it to $A_1$.
• Phase 2: $A_1$ continues issuing the same queries as in Phase 1. However, $t$ cannot be queried in this phase and $(t, C^*_t)$ cannot be queried in a decryption query.
We give the advantage definition of $A_1$ in Game I as
Definition 6. If the advantage Adv(k) is negligible for any probabilistic polynomial-time Adv-I $A_1$, we say the IBEET-FA scheme is OW-ID-CCA secure for three types of authorization Aut-γ (γ = 1, 2, 3).
Game II: Let the recipient's identity be $t$ ($1 \le t \le n$), and let $A_2$ be an Adv-II adversary. Between the challenger $C_2$ and the adversary $A_2$ the game goes as follows:
• Setup: Challenger $C_2$ first picks $k$ as a security parameter, then gets public parameter $pp$ by calling the Setup algorithm, and sends $pp$ to $A_2$.
• Phase 1: $A_2$ is allowed to issue polynomially many queries as in Game I.
• Challenge: Adversary $A_2$ sends to challenger $C_2$ two messages $M_0$, $M_1$ and a target identity $t$; $t$ must not have appeared in an extract query or an Aut-1 authorization query. $C_2$ picks a bit $b \in \{0, 1\}$ randomly, uses the encryption algorithm to get the challenge ciphertext $C^* = Encrypt(M_b, t, pp)$, then sends $C^*$ to $A_2$.
• Phase 2: $A_2$ is allowed to continue issuing queries as in Phase 1, but there are some restrictions as follows:

Our Proposed IBEET-FA Scheme
In our IBEET-FA scheme, we use the advantages of the PKEET-FA scheme and IBE without pairing scheme.

The Proposed Scheme
• Setup(k): Here $k$ is a security parameter, and it is the size of plaintext messages. The algorithm works as follows:
1. This algorithm calls the TDLGen algorithm of the TDL generator, then gets a tuple $(T, G, g, q)$ where $T$ is the trapdoor, $G$ is a group, $g$ is a random generator, and $q$ is the prime order.
• KeyGen(i, pp, msk): Taking label $i$, the public parameter $pp$ and master secret key $msk$ as input, the algorithm calls the SolveDL algorithm with $H(i)$ as input to get a value $\alpha_i \in \mathbb{Z}_q$ such that $g^{\alpha_i} = H(i)$. Furthermore, it calls the SolveDL algorithm again, taking $H_1(i)$ as input, to get a value $\beta_i \in \mathbb{Z}_q$ such that $g^{\beta_i} = H_1(i)$. It then outputs the secret key $sk_i = (\alpha_i, \beta_i)$.
4. Choose at random $r \in \mathbb{Z}_q^*$, then compute
Output the ciphertext $CT = (CT_1, CT_2, CT_3)$.
Two users are represented as $u_i$ and $u_j$, selecting $r_i$ and $r_j$ as the randomness used in computing $CT$ and $CT'$. Correspondingly, compute ciphertext $CT = (CT_1, CT_2, CT_3)$ and ciphertext $CT' = (CT'_1, CT'_2, CT'_3)$ of $u_i$ and $u_j$.
Aut-1:
• $Aut_1(i, SK)$: This authorization procedure returns a trapdoor $TD_1 = \beta_i$.
• $Test_1(CT, CT', TD_1, TD'_1)$: The test procedure performs the following calculations

It returns 1 if
, or returns 0.

Correctness
Theorem 1. By definition 2, the correctness of the above IBEET-FA scheme is proven.
Proof of Theorem 1. We now prove our IBEET-FA scheme meets all correctness requirements.
1. The first requirement is satisfied obviously.
• Aut-1: Given $TD_1 = \beta_i$, $TD'_1 = \beta_j$, get the following:
Because point $(x_i, y_i)$ is taken from the ray corresponding to $M_i$ and point $(x_j, y_j)$ is taken from the ray corresponding to $M_j$, $M_i = M_j$ means that $(x_i, y_i)$ and $(x_j, y_j)$ are taken from the same ray. So
• Aut-2: Given get the following: $x_j \| y_j = CT'_3 \oplus TD'_2$.
Because point $(x_i, y_i)$ is taken from the ray corresponding to $M_i$ and point $(x_j, y_j)$ is taken from the ray corresponding to $M_j$, $M_i = M_j$ means that $(x_i, y_i)$ and $(x_j, y_j)$ are taken from the same ray. So
• Aut-3: Given get the following:
Because point $(x_i, y_i)$ is taken from the ray corresponding to $M_i$ and point $(x_j, y_j)$ is taken from the ray corresponding to $M_j$, $M_i = M_j$ means that $(x_i, y_i)$ and $(x_j, y_j)$ are taken from the same ray. So
$TD_{i,2}$ get the following:
Because point $(x_i, y_i)$ is taken from the ray corresponding to $M_i$ and point $(x_j, y_j)$ is taken from the ray corresponding to $M_j$, $M_i = M_j$ means that $(x_i, y_i)$ and $(x_j, y_j)$ are taken from the same ray. So
3. Now we prove the third condition holds. $f_i(x)$ is a ray passing through point $P_i = (H_3(M_i), H_4(M_i))$ with $O$ as its endpoint, and $f_j(x)$ is a ray passing through $P_j = (H_3(M_j), H_4(M_j))$ with $O$ as its endpoint. Point $(x_i, y_i)$ is taken from the ray $f_i(x)$, and point $(x_j, y_j)$ is taken from the ray $f_j(x)$.
• Aut-1: If $Test_1(CT, CT', TD_1, TD'_1) = 1$, we can get that $\frac{y_i}{x_i} = \frac{y_j}{x_j}$, that is, point $(x_i, y_i)$ and point $(x_j, y_j)$ are taken from the same ray with $O$ as the end point. For is negligible, then we get that P[Test 1 (CT, CT , TD 1 , , that is, point $(x_i, y_i)$ and point $(x_j, y_j)$ are taken from the same ray with $O$ as the end point. For is negligible, then we get that $P[Test_2(CT, CT', TD_2, TD'_2) = 1]$ is also negligible.
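The Aut-2 / Test-2 path from the correctness argument above, as an added example that is not the paper's code. It assumes a toy 30-bit group in which baby-step giant-step stands in for SolveDL, SHA-256 for the hash oracles, $CT_1 = g^r$ with $CT_3$ masked by $H_5(H_1(i)^r, CT_1, CT_2)$ as inferred from the proof text, and random bytes in place of $CT_2$; all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group (constructed, insecure size): P = 2Q + 1 with P and Q prime;
# G = 4 generates the order-Q subgroup of squares modulo P.
P, Q, G = 1_000_000_007, 500_000_003, 4
L = 4  # bytes per coordinate, so H5 outputs 2*L bytes

def _h(tag, *parts):
    """Domain-separated SHA-256 standing in for the paper's random oracles."""
    m = hashlib.sha256(tag)
    for part in parts:
        m.update(len(part).to_bytes(4, "big") + part)
    return m.digest()

def h1_group(identity):
    """H1: identity -> element of the order-Q subgroup (a nonzero square mod P)."""
    v = int.from_bytes(_h(b"H1", identity.encode()), "big") % (P - 1) + 1
    return pow(v, 2, P)

def h34(message):
    """(H3(M), H4(M)) in Z_Q^*: the point that fixes the ray for message M."""
    x = int.from_bytes(_h(b"H3", message), "big") % (Q - 1) + 1
    y = int.from_bytes(_h(b"H4", message), "big") % (Q - 1) + 1
    return x, y

def h5(shared, ct1, ct2):
    """H5: 2*L-byte mask over (CT1^beta, CT1, CT2)."""
    return _h(b"H5", shared.to_bytes(8, "big"), ct1.to_bytes(8, "big"), ct2)[:2 * L]

def solve_dl(h):
    """Stand-in for SolveDL: baby-step giant-step, feasible only for this toy Q."""
    m = int(Q ** 0.5) + 1
    baby, cur = {}, 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * G % P
    step = pow(pow(G, m, P), P - 2, P)  # G^(-m) mod P
    gamma = h
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * step % P
    raise ValueError("element is not in the subgroup generated by G")

def keygen_beta(identity):
    """The beta_i half of KeyGen: g^beta_i = H1(i)."""
    return solve_dl(h1_group(identity))

def _xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def encrypt(identity, message):
    """Only the parts Test-2 touches; CT2 is random placeholder bytes here."""
    r = secrets.randbelow(Q - 1) + 1
    t = secrets.randbelow(Q - 1) + 1
    hx, hy = h34(message)
    x, y = t * hx % Q, t * hy % Q  # random point on the ray through (H3(M), H4(M))
    ct1 = pow(G, r, P)
    ct2 = secrets.token_bytes(16)  # assumption: stands in for the message-carrying part
    mask = h5(pow(h1_group(identity), r, P), ct1, ct2)  # H1(i)^r == CT1^beta_i
    ct3 = _xor(x.to_bytes(L, "big") + y.to_bytes(L, "big"), mask)
    return ct1, ct2, ct3

def aut2(beta, ct):
    """TD2 = H5(CT1^beta_i, CT1, CT2): valid for this one ciphertext only."""
    ct1, ct2, _ = ct
    return h5(pow(ct1, beta, P), ct1, ct2)

def _slope(ct, td2):
    raw = _xor(ct[2], td2)  # x || y = CT3 xor TD2
    x, y = int.from_bytes(raw[:L], "big"), int.from_bytes(raw[L:], "big")
    if not (0 < x < Q and 0 < y < Q):
        return None  # wrong trapdoor or malformed ciphertext
    return y * pow(x, Q - 2, Q) % Q

def equal_test2(ct_i, td_i, ct_j, td_j):
    """Return 1 iff both unmasked points lie on the same ray (y_i/x_i == y_j/x_j)."""
    s_i, s_j = _slope(ct_i, td_i), _slope(ct_j, td_j)
    return int(s_i is not None and s_i == s_j)

if __name__ == "__main__":
    alice, bob = "alice@example.com", "bob@example.com"  # constructed identities
    b_a, b_b = keygen_beta(alice), keygen_beta(bob)
    c_a = encrypt(alice, b"blood type: AB")
    c_b = encrypt(bob, b"blood type: AB")
    c_b2 = encrypt(bob, b"blood type: O")
    print(equal_test2(c_a, aut2(b_a, c_a), c_b, aut2(b_b, c_b)))    # same plaintext
    print(equal_test2(c_a, aut2(b_a, c_a), c_b2, aut2(b_b, c_b2)))  # different plaintext
    print(equal_test2(c_a, aut2(b_a, c_a), c_b, aut2(b_b, c_b2)))   # trapdoor of another ciphertext
```

Because Aut-1 hands over $\beta_i$ itself, its holder can compute this mask for every ciphertext of user $i$, whereas an Aut-2 trapdoor unmasks only the ciphertext it was derived from.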

Security Analysis
We will prove two kinds of security against different adversaries in this section. For this purpose, we design several related games to connect the scheme security and the hardness problems. Suppose $A$ is a polynomial-time adversary, allowing $A$ to do at most $q_H$, $q_{H_1}$, $q_{H_2}$, $q_{H_3}$, $q_{H_4}$, $q_H$ .
For an identity $i$, the oracle picks $r_{i_1} \leftarrow \mathbb{Z}_q$ (resp. $r_{i_2} \leftarrow \mathbb{Z}_q$) randomly, computes $H(i) = g^{r_{i_1}}$ (resp. $H_1(i) = g^{r_{i_2}}$) and records the tuple $(i, r_{i_1}, g^{r_{i_1}})$ (resp. $(i, r_{i_2}, g^{r_{i_2}})$) on hash list $L_H$ (resp. $L_{H_1}$). $H(i)$ (resp. $H_1(i)$) is returned to $A_1$.
$O_{H_2}$: Set an initially empty list $L_{H_2}$. For an input $U_i$, the oracle picks a string $S_i \in \{0, 1\}^k$ randomly and records the tuple $(U_i, S_i)$ on hash list $L_{H_2}$.
$O_{H_3}$, $O_{H_4}$: Set an initially empty list $L_{H_3}$. For an input $S_i$, the oracle picks $r_i \leftarrow \mathbb{Z}_q$ randomly and records the tuple $(S_i, r_i)$ on hash list $L_{H_3}$.
$O_{H_5}$: Set an initially empty list $L_{H_5}$. For an input $U_i$, the oracle picks a string $S_i \in \{0, 1\}^{2l}$ randomly and records the tuple $(U_i, S_i)$ on hash list $L_{H_5}$.
2. Key retrieve queries: For an identity $i$, challenger $C_1$ invokes hash oracles $O_H$, $O_{H_1}$ to get hash values $H(i)$, $H_1(i)$, then runs the KeyGen(msk, pp, i) algorithm to get the secret key $sk_i = (\alpha_i, \beta_i)$. It returns $sk_i$ to $A_1$.
3. Decryption queries: For an identity $i$ and ciphertext $C_i$, challenger $C_1$ invokes key retrieve queries to obtain the secret key $sk_i = (\alpha_i, \beta_i)$, then uses $sk_i$ to call the $Decrypt(pp, C_i, \alpha_i, i)$ algorithm to obtain the message $M_i$ (which might be ⊥). It returns $M_i$ (or ⊥) to $A_1$.
4. Authorization queries: For Aut-γ (γ = 1, 2, 3),
(a) γ = 1: $i$ as the input, $C_1$ runs the $Aut_1$ algorithm with $SK$, then returns $TD_1 = \beta_i$ to $A_1$.
(b) γ = 2: $(i, CT)$ as the input, $C_1$ runs the $Aut_2$ algorithm with $SK$, then returns
(c) γ = 3: $(i, CT, j, CT')$ as the input, $C_1$ runs the $Aut_3$ algorithm with $SK$, then returns
• Challenge: Adversary $A_1$ submits to $C_1$ an identity $t$ that has not been queried in a previous extract query. $C_1$ randomly selects a message $M_t$, and gets $C^*_t = (C^*_{t,1}, C^*_{t,2}, C^*_{t,3})$ with the following equations.
where the point $(x_t, y_t)$ is randomly taken from the ray passing through the point $(H_3(M_t), H_4(M_t))$, and $r_t \in \mathbb{Z}_q^*$. Then, the challenge ciphertext $C^*_t$ is sent to $A_1$.
• Phase 2: $A_1$ is allowed to issue the same types of query as in Phase 1. However, in the key retrieve queries, $t$ cannot be queried; and in the decryption queries, $(t, C^*_t)$ cannot be queried.
Game 2: It is almost equivalent to Game 1; the modified parts are as follows: The change is that $H_2(H(t)^{r_t})$ is replaced by a random $R$. We can see that $H_2(H(t)^{r_t})$ is random in Game 1. If $H(t)^{r_t}$ has been queried in Game 2, we call it event $E$. If $H(t)^{r_t}$ has not been queried, it is difficult for $A_1$ to separate Game 1 and Game 2. We get that

Obviously, $P[E]$ is negligible if the CDH problem is difficult.
Game 3: It is almost equivalent to Game 2; the modified parts are as follows: Compared to Game 2, $M \oplus R$ in Game 3 is replaced by a random $R_1$. Since $R$ is a random string, we know that $M \oplus R$ is also a random string. So it is difficult for $A_1$ to separate Game 2 and Game 3. We have that
Similarly, if the CDH problem is difficult, $P[Game3]$ is negligible. From all the formulas obtained above, we derive the following formula
We can get a conclusion: when the CDH problem is intractable, our new IBEET-FA scheme can achieve IND-ID-CCA security against Adv-I.
Proof of Theorem 3. If there exists an adversary $A_2$ who could attack the IND-ID-CCA security of this scheme, we can then get an algorithm to solve the DDH problem in polynomial time with non-negligible advantage. For Adv-II $A_2$, we design the following game to prove the IND-ID-CCA security. The probability of winning the game is expressed as
For $a, b, c \in \mathbb{Z}_q$, given two tuples $(g, g^a, g^b, g^{ab}), (g, g^a, g^b, g^c) \in G$, $C_2$ computes system parameters and sends them to $A_2$. For the queries of $A_2$, $C_2$ replies as follows.
• Setup: For $i \in [1, n]$, algorithm $C_2$ generates $n$ key pairs $(sk_i, pk_i)$, where sets $(sk_i, pk_i) =$
: Allows algorithm $C_2$ to issue four types of queries as follows.
2. Key retrieve queries: Given an identity $i$, $C_2$ searches tuple $(i, r_{i_1}, g^{r_{i_1}})$ and tuple $(i, r_{i_2}, g^{r_{i_2}})$ in list $L_H$ and list $L_{H_1}$, sends $(r_{i_1}, r_{i_2})$ to $A_2$ when $i = t$ holds.
Otherwise, $C_2$ returns ⊥ to $A_2$.
3. Decryption queries: For identity $i$ and a query ciphertext $C_i$, challenger $C_2$ searches tuple $(U, S)$ in list $L_{H_2}$, and computes $M \| R = C_2 + S$. If there exists $R$ making the equation $C_1 = g^R$ true, $C_2$ returns $M$ to $A_2$. Otherwise, $C_2$ returns ⊥ to $A_2$.
4. Authorization queries: For Aut-γ (γ = 1, 2, 3),
(a) γ = 1: $i$ as the input, challenger $C_2$ calls the $Aut_1$ algorithm with $SK$, then sends $TD_1 = \beta_i$ to $A_2$.
(b) γ = 2: $(i, CT)$ as the input, challenger $C_2$ calls the $Aut_2$ algorithm with $SK$, then sends $TD_2 = H_5(CT_1^{\beta_i}, CT_1, CT_2)$ to $A_2$.
(c) γ = 3: given $(i, CT, j, CT')$ as input, challenger $C_2$ calls the $Aut_3$ algorithm with $SK$, then sends
• Challenge: Adversary $A_2$ chooses two plaintexts $M_0$, $M_1$ and an identity $t$, with the constraint that $t$ cannot be queried in the extract query phase or the Aut-1 authorization query phase. $C_2$ picks a bit $b \in \{0, 1\}$ randomly, then encrypts $M_b$: challenger $C_2$ sends the obtained challenge ciphertext $C^* = (C^*_{t,1}, C^*_{t,2}, C^*_{t,3})$ to the adversary $A_2$.
• Phase 2: $A_2$ issues the same types of query as in Phase 1, with the two following restrictions:
1. In the key retrieve query phase or Aut-1 authorization query phase, $i$ is not allowed to be queried;
2. In the decryption query phase or the authorization query phase, $(i, C^*)$ cannot be queried.
• Guess: $A_2$ returns a bit $b'$. If $b' = b$ holds, it means that $A_2$ wins the game, and then $C_2$ outputs 1.

Efficiency Analysis
In Table 1, we describe the communication complexity of our scheme, and compare it with other schemes [4,5,23,24]. $|\mathbb{Z}_p|$, $|G|$, $|G_1|$ and $|G_T|$ are used to represent the size of elements in $\mathbb{Z}_p$, $G$, $G_1$ and $G_T$. The second column represents the size of the public key, the third column represents the size of a private key, and the fourth column represents the size of the ciphertext. We can see that our scheme has a smaller size than [4,23,24] in public key and ciphertext, and has a smaller size than [5] in the ciphertext.

[Table 1: communication complexity comparison; columns: Public Key, Secret Key, Ciphertext.]

In Table 2, we show the comparison of encryption, decryption, authorization, and test in computation complexity. We use "I", "E", and "P" to represent the inversion operation, exponentiation operation and pairing operation, respectively. The second to fifth columns compare the computation complexity of the encryption process, decryption process, authorization process, and test process. The sixth column shows whether the scheme is identity-based, and the last column shows whether the scheme is pairing-based. Our scheme and [5] have four authorization algorithms. Since Aut-4 is a combination of Aut-1 and Aut-2, we omit Aut-4 for simplicity. In Table 2 and Figure 2, we list the three authorization algorithms of our scheme and [5] for comparison. In the encryption algorithm, Ref. [5] requires seven exponential operations, while our scheme only requires three exponential operations. In the Aut-2 authorization algorithm, Ref. [5] requires one pairing operation, and our scheme only requires two exponential operations. In the Aut-3 authorization algorithm, Ref. [5] requires two pairing operations, and our scheme only requires four exponential operations. For the two authorization processes, our scheme reduces the computation costs by 60%, respectively. Reducing the use of pairings is key to reducing computational costs. Compared with [4,23,24], our scheme and [5] are based on identity encryption. The user's public key can be a string related to the user's identity information, which avoids complicated public key certificate management and public key storage. However, Refs. [4,23,24] use public key encryption, which requires a large amount of storage and complex management. Among all the schemes we list, our scheme is the only one that is both ID-based and pairing-free.
From the comparison results in Figure 2, it can be seen that the calculation costs of the authorization algorithms of the three authorization methods in our scheme are significantly lower than that of the corresponding three authorization algorithms in Li et al.'s scheme [5]. Compared with other schemes [4,5,23,24], our scheme is more flexible and efficient. In cloud computing, our scheme is applicable to more application scenarios and has high practical significance.

Conclusions
In this paper, we propose a new IBE scheme without pairing, which supports the ciphertext equality test. Our scheme introduces the authorization mechanism proposed in the scheme [4], with four types of authorization policies providing better flexibility. Compared with works [4,23,24], our scheme is in the IBE setting, which means it does not suffer from complex key storage and distribution problems. Compared with the work [5], we replaced pairing with discrete logarithms, which helps reduce the computation cost. Specifically, compared to Li et al.'s work, about 57% = (100% − 43%) time cost is saved for the encryption process, and about 60% = (100% − 40%) time costs are saved for the type-2 authorization process and type-3 authorization process. Based on mathematical assumptions, we define the security models of our scheme and prove the security of the scheme.
Our proposed approach can be applied to equality tests over ciphertexts encrypted with different public keys, which increases the application range of cloud computing. Furthermore, our scheme is in IBE settings, avoiding complex key management issues. However, there are security channel key distribution and private key escrow issues in IBE. In the future, we will try to combine the advantages of IBE and PKE to propose more secure and efficient equality test schemes.

Conflicts of Interest:
The author declares no conflict of interest.